WordPress Plugin Scripts Tampered to Plant Backdoors

Attackers tampered with JavaScript files for PushEngage, OptinMonster, and TrustPulse to create hidden admin accounts on WordPress sites. The malicious code activated only when a logged-in administrator loaded the script. PushEngage's exposure lasted several hours; OptinMonster and TrustPulse had a 25-minute window on June 12.